Analyzing Brute Force Attempts in BASH

If you have a public-facing SSH server running on the standard port, your message log is probably filled with failed authentication attempts from brute-force attacks. Let’s mash up some quick BASH commands to analyze this data. For our purposes, we’ll look at the top attacker IPs and the top usernames tried.

First, pull down all of your message files and decompress them in a working directory using bunzip2.

Once you have all your message logs ready, we will search through them and pull out all of the authentication failure entries and grab the IP and username for each attempt.

grep -r "authentication error" messages* | awk '{split($0,a," "); print a[NF],a[NF-2]}' > attempts

So we first use grep to look for failed authentications by searching recursively for the string “authentication error” in all of our message logs, using the wildcard to match every file. We then pipe this to awk and split each matching line into an array delimited by whitespace. The end of each such line, and therefore of our new array, goes something like: ‘authentication error for USERNAME from IP’. To pull the username and IP out of the array we can use awk’s field-count variable NF (equal to the array length here, since awk’s default field splitting uses the same whitespace delimiter) to index the elements we need: the IP is the last element, a[NF], and the username sits two elements before it, a[NF-2]. Finally, we output this to a file called attempts.

Now, let’s use more BASH magic to do the analyses for us. Our attempts file is now in the format: IP USERNAME. We want to see the top IPs and usernames, and we can do that with some sorting commands.

cut -d ' ' -f2 attempts | sort | uniq -c | sort -nr > attempts_username
cut -d ' ' -f1 attempts | sort | uniq -c | sort -nr > attempts_ip

Here, we simply grab either the username in the second column or the IP in the first with cut, sort this data (uniq only collapses adjacent duplicates, so the input must be sorted first), prepend each line with the number of occurrences, and then sort by this occurrence number and output to a new file. You can now view attempts_username and attempts_ip to see the top usernames and IPs, respectively, of brute-force attacks.

Lastly, we can keep the usernames and IPs associated together and sort on one or the other to see the correlation between the two. To end our initial analyses, we will sort on usernames and find out, for the top attempted usernames, what the top originating IPs are.

sort -k 2,2 attempts | uniq -c | sort -nr | head -n 10
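To make the whole procedure runnable end to end, here is an added example script (not from the original post) that builds a small constructed message log and then runs the same three steps over it. The log lines, hostname, process IDs and IP addresses (taken from the documentation ranges) are all made up for the example, and the helper names extract_attempts, top_usernames, top_ips, top_pairs and first_value are this example’s own.

```shell
#!/bin/sh
# Added example, not code from the original post: reproduces the post's
# grep/awk/sort pipeline on a constructed sample log so it runs offline.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed sample of the message-log lines the post greps for. The
# hostname, PIDs and addresses (documentation ranges) are made up.
cat > "$WORK/messages" <<'EOF'
Jan 10 03:14:07 host sshd[4123]: error: PAM: authentication error for root from 192.0.2.10
Jan 10 03:14:09 host sshd[4125]: error: PAM: authentication error for root from 192.0.2.10
Jan 10 03:14:12 host sshd[4127]: error: PAM: authentication error for admin from 198.51.100.7
Jan 10 03:14:15 host sshd[4129]: error: PAM: authentication error for root from 198.51.100.7
Jan 10 03:14:20 host sshd[4131]: error: PAM: authentication error for test from 192.0.2.10
Jan 10 03:15:01 host sshd[4140]: Accepted publickey for alice from 203.0.113.5 port 51022 ssh2
EOF

# Step 1 from the post: keep only failed authentications and emit "IP USERNAME".
# grep -r prefixes each hit with the file name, but a[NF] and a[NF-2] count
# from the end of the line, so the prefix does not disturb the extraction.
extract_attempts() {
    grep -r "authentication error" "$WORK"/messages* \
        | awk '{split($0,a," "); print a[NF],a[NF-2]}' > "$WORK/attempts"
}

# Step 2: occurrences per username and per IP, most frequent first.
# sort before uniq -c because uniq only collapses adjacent duplicates.
top_usernames() { cut -d ' ' -f2 "$WORK/attempts" | sort | uniq -c | sort -nr; }
top_ips()       { cut -d ' ' -f1 "$WORK/attempts" | sort | uniq -c | sort -nr; }

# Step 3: count (IP, USERNAME) pairs, grouped by username as in the post.
top_pairs() { sort -k 2,2 "$WORK/attempts" | uniq -c | sort -nr | head -n 10; }

# Helper: the value on the first (most frequent) line of a "count value" list.
first_value() { awk 'NR==1 {print $2}'; }

extract_attempts
echo "== top usernames =="; top_usernames
echo "== top IPs =="; top_ips
echo "== top IP/username pairs =="; top_pairs
```

One caveat for readers adapting this: the a[NF] / a[NF-2] positions assume the “authentication error for USERNAME from IP” wording the post shows, where the IP ends the line. Builds of sshd that instead log “Failed password for invalid user NAME from IP port N ssh2” put “ssh2” last, so the field offsets (and the grep pattern) would need adjusting for that format.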

Next time we will be using some GEOIP methods to see where our top attack attempts are originating.

Amazon Prime Streaming – Another Netflix Alternative for Linux?

Amazon announced this week that Prime users would now have access to a pool of free content to stream instantly from the video-on-demand portion of their website.

While the content might not be the latest and greatest blockbuster movies and shows, it is a substantial amount of content and worthy to be considered a viable contender for the streaming market. Take a look at the Netflix instant content pool. It’s pretty substantial now, but it still does not contain the latest movies (which are home rental only for the most part). Also consider that when Netflix instant started it was a rather meager offering of mostly meh content. Given such, it might be a sign of possible things to come for Amazon streaming.

Prime being a $79 a year opt-in might seem steep. If you are already a prime member, then it’s a moot point or better, further validates your spending $79 a year so you can get that video game on release date for free or so you can get that $10 paperback second day without having to pay the sub-$25 shipping penalty. If you aren’t a prime member, this seems like a great time to jump in. Along with awesome shipping, you can now stream movies and television instantly as well.

Still not sold? Here’s the cool part for us linux (or *BSD, etc) guys and girls: streaming is system independent, and so far seems to also be browser independent. Can you view Flash? Then you should be ready to roll watching Amazon’s instant content.

Now with Hulu (and Hulu-desktop) and Amazon instant being friends of an operating system independent approach, will that push Netflix along to allow all of us paying customers with Linux to utilize the instant features? Or will Netflix keep its head buried in the sand and stay cozy with Microsoft? Remember when we thought Flash was so evil? Well, it looks like Silverlight has trumped that by leaps and bounds.

Before ending, I’ll make a quick note on performance. As of now, streaming is around 480p (supposedly). I’ve tested it out on two media PCs both running linux; Fedora setup connected to a 50″ plasma via HDMI and an Xubuntu setup connected to a 32″ CRT via s-video. Both setups streamed very nicely, and while it obviously isn’t in HD, even on the 50″ television, the quality was just fine. The big positive performance point (sorry) was that there was not a single buffer wait, stutter, or hiccup in the stream. Granted, this isn’t a very scientific comparison, but I wouldn’t be surprised to see the power of Amazon shining through in the technical side of the streaming business. I mean they already figured out a nice way to stream content without sleeping with Microsoft to keep the bad guys from ripping content. [Update: There are HD options available. The Best of NOVA #6 and Yellowstone are both offered in an HD version and looked and streamed great.]

Prime member? Check it out. Not a Prime member? Seems like a great time to join in, especially if you are a frequent Amazon shopper.

Serving a Printer to Google Cloud Print from Linux

Been waiting for Google Cloud Print to finally come to linux?

The wait is over!

For now, Google has only released the ability to serve up a printer to the Google cloud via Windows, while explicitly noting that the capability to do so in Linux is on the way. However, the entire ‘Cloud Aware’ printer scheme has always seemed to be referred to as coming soon, and that is probably a ways off yet. So I remain skeptical as to when we will actually see this ability. [update: There are some out there now and reviews are trickling in.]

Luckily, Armooo posted a python script that you can run on Linux (and I assume *BSD, but haven’t tested just yet) to serve up your local CUPS printer to the Google Cloud.

The script can be found here at his Github page and uses Python and PyCups to serve up your CUPS-enabled printer to the Google Cloud.

I have the HP Laserjet Pro P1102W printer served up locally via CUPS. It’s connected to the Linux desktop I am running the cloud print script from using USB and runs extremely well in Linux using the newest HPLIP. The printer is this one here: HP LaserJet Pro P1102w Printer (CE657A#BGJ); this printer will be discussed in another post about Linux printer setups.

Once your printer is set up and working locally and you have confirmed that CUPS is serving it up fine, you simply run Armooo’s script and it will serve up all of the found CUPS-based printers to the cloud. You can then print from any Google Print enabled device or the Chrome browser as discussed here.

~/bin/cloudprint$ ./
Google username: [email protected]
Password: yourpassword
Added Printer HP-LaserJet-Professional-P1102w

I then used my phone to go to the mobile Google Docs page and from there I could print out a document directly to the printer at home. Worked like a charm.